Think twice before logging into Facebook with free WiFi access — unless you don’t mind snoopers reading and potentially altering your profile.
A software developer is hoping to educate users about the dangers of using unsecured WiFi networks with a computer program that makes it easy to hack into Facebook and Twitter accounts.
With a download of Firesheep, a plug-in for Mozilla’s Firefox web browser, all it takes is patience and a couple of clicks to take over someone’s logged-in session on a variety of websites, also including the photo-sharing site Flickr and the WordPress blogging platform.
The program sniffs the session cookies that those sites send over the network in the clear after a user has logged in, and lets the Firesheep user connect to those accounts as if they were their owner, without ever seeing a password.
“Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web,” wrote Seattle-based Eric Butler in a blog post explaining his program.
Butler, who declined interview requests, said that not all websites are vulnerable to Firesheep, but too many sites aren’t secure enough to thwart hackers. While the typed-in login information may be sent over an encrypted connection, the user-identifying information in cookies (small pieces of data a website stores in the browser, which the browser then sends back with every request to that site) is not.
“On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy,” Butler wrote.
“The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL.”
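The mechanism Butler describes, as an added example that is not code from the article or from Firesheep: a small reconstruction of what a session-sidejacking tool does with the plaintext HTTP requests it overhears on an open wireless network, followed by the server-side check that decides whether a session cookie is ever sent in the clear. The host names, cookie names and captured requests are constructed for illustration, and the weak and hardened Set-Cookie headers at the end are assumed examples, not settings taken from any real site.

```python
# Added example, not code from the article or from Firesheep: reconstruct
# what a session-sidejacking tool does with traffic it overhears on an open
# Wi-Fi network, then check the server-side Set-Cookie setting that decides
# whether a session cookie is ever sent in the clear. All host names, cookie
# names and captured requests below are constructed for illustration.

# Constructed sample traffic: plaintext HTTP requests as they would be read
# off the air. The login itself may have gone over HTTPS; these later page
# loads did not, and the browser attached the session cookies anyway.
CAPTURED_REQUESTS = [
    b"GET /home.php HTTP/1.1\r\nHost: www.example-social.com\r\n"
    b"Cookie: datr=Ab12; c_user=100001; xs=9a8b7c6d\r\n\r\n",
    b"GET /feed HTTP/1.1\r\nHost: www.example-micro.com\r\n"
    b"Cookie: _session_id=f00dfeed\r\n\r\n",
    b"GET /logo.png HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n",
]

# Per-site knowledge of which cookies carry the session (Firesheep shipped
# one handler per supported site). These entries are made up.
SESSION_COOKIE_NAMES = {
    "www.example-social.com": ["c_user", "xs"],
    "www.example-micro.com": ["_session_id"],
}


def parse_request_headers(raw):
    """Split a raw HTTP request into its request line and a lower-cased header dict."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_cookie_header(value):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def sidejackable_sessions(raw_requests):
    """Return {host: {cookie: value}} for every captured plaintext request that
    carries a complete set of a known site's session cookies."""
    found = {}
    for raw in raw_requests:
        _, headers = parse_request_headers(raw)
        host = headers.get("host")
        wanted = SESSION_COOKIE_NAMES.get(host)
        if not wanted or "cookie" not in headers:
            continue
        cookies = parse_cookie_header(headers["cookie"])
        session = {name: cookies[name] for name in wanted if name in cookies}
        if len(session) == len(wanted):
            found[host] = session
    return found


def replay_request(host, path, session_cookies):
    """The request a sidejacker sends next: the victim's cookies, no password."""
    cookie = "; ".join(f"{k}={v}" for k, v in session_cookies.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n\r\n".encode()


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value-or-True})."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attributes = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip() if val else True
    return name, value, attributes


def cookie_exposed_to_sniffing(set_cookie_header):
    """True when the cookie lacks the Secure attribute: the browser will then
    attach it to any http:// request to the site, i.e. send it in the clear."""
    _, _, attributes = parse_set_cookie(set_cookie_header)
    return "secure" not in attributes


# Weak setting (assumed example): the login form was served over HTTPS, but
# nothing stops the browser from sending this cookie on plain http:// pages.
WEAK_SET_COOKIE = "sid=9a8b7c6d; Path=/; HttpOnly"
# Corrected setting: Secure keeps the cookie off plaintext connections. The
# site must then serve the whole logged-in session over HTTPS, which is the
# "full end-to-end encryption" Butler calls for.
HARDENED_SET_COOKIE = "sid=9a8b7c6d; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for host, session in sidejackable_sessions(CAPTURED_REQUESTS).items():
        print(host, "->", session)
        print(replay_request(host, "/", session).decode().splitlines()[2])
    print("weak cookie exposed:", cookie_exposed_to_sniffing(WEAK_SET_COOKIE))
    print("hardened cookie exposed:", cookie_exposed_to_sniffing(HARDENED_SET_COOKIE))
```

The point of the two Set-Cookie headers is the caveat a site operator needs: protecting the login page alone does nothing for the session, and adding Secure to the cookie only helps if every logged-in page is then reachable over HTTPS, otherwise the browser simply stops sending the cookie and the user appears logged out.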
In just over 24 hours, Firesheep was downloaded more than 129,000 times. Among the users was Ian Robertson, an IT professional in Ottawa who took his laptop to a couple of local coffee shops to give the program a test drive with a colleague.
“I was able to see about half a dozen accounts on Facebook and was able to actually log into their accounts, view all their photos, all their private information, their phone numbers — anything,” said Robertson.
“Just for a test with one of my colleagues I logged into his profile and I was able to change his status to single. And within about 10 minutes his girlfriend commented and said, ‘Why??’”
Robertson said he was surprised how easy it was to use and was concerned that others might download it for far more malicious purposes than he did.
“You feel kind of powerful, I guess, like you could just go in there and spam away if you wanted to,” he said.
Firesheep is on the radar of Canada’s privacy commissioner but there have been no public inquiries about the program and there is no investigation ongoing, said spokeswoman Anne-Marie Hayden.
She did note the Personal Information Protection and Electronic Documents Act requires that companies use safeguards to protect personal data.
“Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification,” reads Principle 7 (Safeguards) in Schedule 1 of the act, which also states that protection should include physical and technological measures “for example, the use of passwords and encryption.”
“Because we haven’t investigated this issue we can’t say whether a particular site has violated the safeguards provision of (the act),” Hayden said.
In a statement, Facebook said it’s working on beefing up its encryption and warned about the risks of using the site over WiFi.
“We have been making progress testing SSL access to Facebook and hope to provide it as an option in the coming months,” the statement reads.
“As always, we advise people to use caution when sending or receiving information over unsecured Wi-Fi networks.”
Kris Constable, founder of the Victoria-based company PrivaSecTech, said the security problems posed by unsecured wireless networks might be news to the general public, but they’ve long been exploited by hackers.
Firesheep only lowers the barrier to entry for would-be hackers.
“The thing it’s done is made the attack a lot prettier … it’s kind of what hacking looks like in the movies,” Constable said.
He hopes Firesheep will finally put enough pressure on business leaders to invest in better encryption.
“When you add something like encryption to any technology it’s going to cost businesses more to implement so they’re not motivated to do it, even though it’s going to make people more secure,” he said.
“But hopefully (Firesheep) is going to force businesses to use more encryption and I think with more awareness … people are going to actually start thinking, ‘Well, maybe when I’m going to talk about sensitive things I need to start encrypting my emails.’ People will start thinking with every website they go to and every email they send, ‘Is it encrypted or not?’”
To protect against getting hacked while using open WiFi, Butler recommends another Firefox plug-in called HTTPS Everywhere, created by the Electronic Frontier Foundation. It works by rewriting the browser’s requests to supported sites from http:// to https://, so it protects against data leaking out while using sites like Facebook, Twitter, Amazon, WordPress.com blogs and PayPal, but it can only help on sites that already serve their pages over HTTPS, and only for the pages its rules cover.
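How that client-side rewrite works, and where its gaps are, as an added example that is not code from the article and not the EFF’s HTTPS Everywhere itself: a minimal version of the per-site rewrite the extension performs. The real extension ships rulesets with target hosts, regular-expression rules and exclusions; the rulesets, host names and URLs below are constructed for illustration, and the `still_plaintext` helper is an assumption added here to show which requests would still leave the browser in the clear.

```python
# Added example, not code from the article and not the EFF's HTTPS Everywhere
# itself: a minimal version of the rewrite that extension performs. The real
# extension ships per-site rulesets (target hosts, regex rules, exclusions);
# the rulesets and URLs below are constructed for illustration.
import re

RULESETS = [
    {
        "name": "Example Social",
        "targets": ["example-social.com", "www.example-social.com"],
        # Paths the site only serves over plain HTTP stay excluded, which is
        # exactly the kind of gap that still leaks a cookie lacking Secure.
        "exclusions": [r"^http://www\.example-social\.com/legacy/"],
        "rules": [
            (r"^http://(www\.)?example-social\.com/", "https://www.example-social.com/"),
        ],
    },
    {
        "name": "Example Micro",
        "targets": ["www.example-micro.com"],
        "exclusions": [],
        "rules": [(r"^http://", "https://")],
    },
]


def host_of(url):
    """Return the host part of an http(s) URL, or None for anything else."""
    match = re.match(r"^https?://([^/:?#]+)", url)
    return match.group(1) if match else None


def rewrite(url):
    """Apply the first ruleset that targets the URL's host.

    Returns the https:// URL when a rule matches, or the URL unchanged when
    it is already https://, no ruleset covers the host, or an exclusion
    applies. The unchanged case is where a cookie still travels in the clear.
    """
    if not url.startswith("http://"):
        return url
    host = host_of(url)
    for ruleset in RULESETS:
        if host not in ruleset["targets"]:
            continue
        if any(re.search(pattern, url) for pattern in ruleset["exclusions"]):
            return url
        for pattern, replacement in ruleset["rules"]:
            new_url, count = re.subn(pattern, replacement, url, count=1)
            if count:
                return new_url
    return url


def still_plaintext(urls):
    """Assumed helper: URLs that would leave the browser over plain HTTP even
    with the rewrite in place. The extension cannot protect what it has no
    rule for, and an unprotected cookie goes out with every one of these."""
    return [u for u in urls if rewrite(u).startswith("http://")]


if __name__ == "__main__":
    sample = [
        "http://www.example-social.com/home.php",
        "http://example-social.com/photos/",
        "http://www.example-social.com/legacy/old.php",
        "http://www.example-micro.com/feed",
        "http://cdn.example.net/logo.png",
    ]
    for u in sample:
        print(u, "->", rewrite(u))
    print("still in the clear:", still_plaintext(sample))
```

The excluded `/legacy/` path and the unlisted CDN host are the practitioner’s caveat: a rewriting plug-in narrows the window but does not close it, because any single plaintext request to a site whose session cookie lacks the Secure flag carries that cookie with it. The durable fix remains the one Butler names, HTTPS for the whole session on the server side.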